Custom claims missing from tokens

Hi.

I am using a rule to add custom claims to tokens obtained using the resource owner password flow.

On two tenants, with identical app configurations, API configurations, rules and connections, one app obtains all custom claims, properly namespaced, and the other doesn’t.

I can’t seem to understand why this is happening. Is there a hidden grant I need to set?

Sample “stunted” jwt payload:

{
  "iss": "https://<xxx>.auth0.com/",
  "sub": "auth0|<xxx>",
  "aud": [
    "https://<xxx>.appspot.com/graphql",
    "https://<xxx>.auth0.com/userinfo"
  ],
  "iat": 1649396829,
  "exp": 1649483229,
  "azp": "<xxx>",
  "scope": "openid profile email offline_access",
  "gty": "password"
}

Sample valid token from the other tenant:

{
  "https://<namespace>/access": "ADMIN",
  "https://<namespace>/id": {},
  "https://<namespace>/memberNumber": {},
  "iss": "https://<xxx>.auth0.com/",
  "sub": "auth0|<xxx>",
  "aud": [
    "https://<xxx>.appspot.com/graphql",
    "https://<xxx>.auth0.com/userinfo"
  ],
  "iat": 1649397775,
  "exp": 1649484175,
  "azp": "<xxx>",
  "scope": "openid profile email offline_access",
  "gty": "password"
}

The rule is (abridged):

function (user, context, callback) {
  const namespaces = ['https://<xxx>'];
  namespaces.forEach(namespace => {
    user.app_metadata = user.app_metadata || {};
    context.idToken[namespace + '/access'] = user.app_metadata.access;
    context.accessToken[namespace + '/access'] = user.app_metadata.access;

    user.app_metadata.id = user.app_metadata.id || {};
    context.idToken[namespace + '/id'] = user.app_metadata.id;
    context.accessToken[namespace + '/id'] = user.app_metadata.id;

    // ...
  });
  callback(null, user, context);
}

Thank you in advance for guidelines and help.

Hi @argo,

I tested your rule, and everything worked okay for me, although I didn’t see a memberNumber claim as it’s not part of the rule you posted.

Make sure your namespace conforms to the Create Custom Claims guidelines. Specifically, make sure it doesn’t include an Auth0 domain. You can try https://test to be safe.

1 Like

Hi @dan.woda, thank you for the reply.

The domain doesn’t include auth0.com. Like I said, the configuration is the same for both apps on two separate tenants, but everything just works fine on one tenant, while I don’t receive the custom claims for tokens on the other tenant.

I have tried every combination or permutation of settings I could think of. The only options left to investigate are adding some of the extension grants that might be relevant, or recreating the app from scratch.

So: the issue here was squarely with me.

I had reproduced the rule on the production tenant incorrectly, and custom claims were only being added to the id token as a result.

Case closed as far as I am concerned.

1 Like
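The resolution above (claims landing only in the ID token because the rule was copied incorrectly) is easy to catch with a small check. This is an added example, not code from the thread or from Auth0: a rule in the same `(user, context, callback)` shape that writes every namespaced claim to both `context.idToken` and `context.accessToken`, plus a diagnostic that lists claims present in one token but missing from the other. `NAMESPACE`, the sample user and the sample payload are constructed assumptions.

```javascript
// Assumed namespace; per the guidance in the thread it must not be an Auth0 domain.
const NAMESPACE = 'https://example.com';

// Rule in Auth0's (user, context, callback) shape. Writes each claim to BOTH tokens,
// which is the step that was missing on the broken tenant in the thread.
function addCustomClaims(user, context, callback) {
  if (/\bauth0\.com\b/.test(NAMESPACE)) {
    return callback(new Error('custom claim namespace must not use an Auth0 domain'));
  }
  const meta = user.app_metadata || {};
  const claims = {
    [NAMESPACE + '/access']: meta.access,
    [NAMESPACE + '/id']: meta.id || {},
  };
  for (const [name, value] of Object.entries(claims)) {
    context.idToken[name] = value;
    context.accessToken[name] = value;
  }
  return callback(null, user, context);
}

// Diagnostic: namespaced claims that exist in the ID token but not the access token.
// An empty result means the two tokens carry the same custom claims.
function claimsOnlyInIdToken(context, namespace = NAMESPACE) {
  return Object.keys(context.idToken)
    .filter(k => k.startsWith(namespace + '/') && !(k in context.accessToken));
}

// Diagnostic for a decoded payload pasted from a debugger: which expected claims are absent.
function missingCustomClaims(payload, namespace = NAMESPACE, expected = ['access', 'id']) {
  return expected.filter(c => !((namespace + '/' + c) in payload));
}

// Constructed sample resembling the "stunted" payload from the first post.
const stuntedPayload = { iss: 'https://tenant.auth0.com/', sub: 'auth0|123', gty: 'password' };

// Runs the rule against constructed input and returns the resulting context.
function demo() {
  const user = { app_metadata: { access: 'ADMIN' } };
  const context = { idToken: { ...stuntedPayload }, accessToken: { ...stuntedPayload } };
  let result = null;
  addCustomClaims(user, context, (err, _u, ctx) => { result = err ? null : ctx; });
  return result;
}
```

Running `missingCustomClaims` over the decoded access token, and `claimsOnlyInIdToken` inside the rule's test harness, shows immediately whether a tenant's rule forgot the access token.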

Thanks for posting an update. Glad you figured it out!

1 Like